Security Questions - LMS 3.2 and ACS integration

max12341234
Level 1

Hi,

I recently integrated an LMS 3.2 installation with ACS by following the "CiscoWorks LMS integration with Cisco Secure ACS" white paper. I used a similar structure with central administrators and sub-groups (such as "NorCal" in the white paper) which have SuperAdmin rights to a limited set of devices based on an NDG. It works exactly as expected.

A security person on my team has 2 security questions that I'm trying to research the answers to.

1. Since the casuser Windows account is used to execute all batch jobs, is there any way for someone in the sub-group "NorCal" to execute a batch job that gives him access to devices outside his designated NDG, or does he have the ability to generate reports for devices outside his NDG?

2. If the sub-group "NorCal" is given SuperAdmin rights to the LMS Server NDG as per the White Paper, does this let the sub-group change LMS settings that affect the central administrators?

Thanks!

--Max

Accepted Solutions

Joe Clarke
Cisco Employee

1. No. As long as that user uses the GUI or CLI tools within LMS, ACS device restrictions will apply. Any violation of that would generally be considered a bug.

2. Yes. If they are granted Super User privileges, they can modify LMS settings. If you remove System Administrator rights, then they will not be able to modify LMS system settings.
